Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shotstack
v1.0.2
Shotstack integration. Manage Deals, Persons, Organizations, Leads, Projects, Pipelines and more. Use when the user wants to interact with Shotstack data.
by Vlad Ursul (@gora050)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill name and SKILL.md describe a Shotstack (video API) integration using the Membrane CLI, but the short description (shown in the registry metadata) references managing 'Deals, Persons, Organizations, Leads, Projects, Pipelines' — wording typical of a CRM. This is an unexplained inconsistency: either the registry metadata is wrong or the skill was copied/repurposed without updating its description.
Instruction Scope
The SKILL.md provides concrete CLI instructions (install @membranehq/cli, membrane login, membrane connect/action/request). It does not ask the agent to read unrelated system files, environment variables, or transmit arbitrary local data. The primary runtime behavior is to call the Membrane CLI and direct the user to authenticate via browser.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md recommends running `npm install -g @membranehq/cli`. Installing a global npm CLI is a normal step for a CLI-based integration, but a global npm install does give the package the ability to write to the system. Confirm the npm package identity (publisher, package page) before installing.
Credentials
The skill declares no required environment variables or credentials. SKILL.md explicitly advises against asking users for API keys and relies on Membrane-managed connections, which is proportionate. However, because Membrane handles credentials server-side, installing and using this connector means you will be delegating authentication to Membrane's service — verify you trust that service.
Persistence & Privilege
The skill is not always-on and is user-invocable. It does not request elevated platform privileges in the metadata. There is no evidence the skill modifies other skills or system-wide settings.
What to consider before installing
Do not install or run the recommended CLI until you resolve the metadata mismatch. Ask the publisher/registry maintainer whether this skill is intended for Shotstack (video) or for a CRM (deals/people). If you proceed: (1) verify the @membranehq/cli package source on npm and the GitHub repo to ensure it's the official package; (2) prefer installing in a sandbox/container rather than doing a global npm install immediately; (3) remember Membrane will broker credentials server-side — confirm you trust their service and review their privacy/security docs; (4) if the registry listing is wrong or confusing, prefer not to install until corrected.
Like a lobster shell, security has layers — review code before you run it.
